CM-14 Signed Components
Prevent the installation of cm-14_prm_1 without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
| Parameter ID | Definition |
|---|---|
| cm-14_prm_1 | organization-defined software and firmware components |
| cm-14_odp.01 | software components |
| cm-14_odp.02 | firmware components |
Baselines
- L Not selected
- M Not selected
- H Not selected
- P Not selected
Guidance
Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, together with organizational verification of those signatures, are a method of code authentication.
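Added example, not part of SP 800-53 or any NIST artifact: a Go installation gate of the kind this guidance describes. It assumes Ed25519 signing keys and a fingerprint allow-list standing in for the organization-approved certificates (the control prescribes neither), and constructs its own keys and firmware payload in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// TrustStore lists the organization's approved signing keys by SHA-256
// fingerprint of the public key (a hypothetical store format; CM-14 prescribes none).
type TrustStore map[string]bool

func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

var ErrUnapprovedSigner = errors.New("signer not approved by organization")
var ErrBadSignature = errors.New("signature does not verify over component")

// AuthorizeInstall is the gate the control describes: the component (cm-14_prm_1)
// may be installed only with a valid signature from an approved key. Approval is
// checked first, so an unrecognized key never influences the verdict.
func AuthorizeInstall(ts TrustStore, payload, sig []byte, signer ed25519.PublicKey) error {
	if !ts[Fingerprint(signer)] {
		return ErrUnapprovedSigner
	}
	if !ed25519.Verify(signer, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo exercises the three verdicts a gate must distinguish. All keys and the
// firmware payload are constructed in memory; nothing is read from disk.
func Demo() (approved, tampered, unapproved error) {
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // valid key, never approved
	ts := TrustStore{Fingerprint(orgPub): true}
	image := []byte("bios-update-2.1 (constructed sample firmware image)")
	sig := ed25519.Sign(orgPriv, image)
	approved = AuthorizeInstall(ts, image, sig, orgPub)
	altered := append([]byte(nil), image...)
	altered[0] ^= 0x01 // one flipped bit after signing
	tampered = AuthorizeInstall(ts, altered, sig, orgPub)
	unapproved = AuthorizeInstall(ts, image, ed25519.Sign(vendorPriv, image), vendorPub)
	return approved, tampered, unapproved
}
```

Checking approval before verifying the signature keeps the verdict from depending on any cryptographic operation with a key the organization has not approved.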
References
- IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
Related controls
- CM-07 Least Functionality L M H P
- SC-12 Cryptographic Key Establishment and Management L M H P
- SC-13 Cryptographic Protection L M H P
- SI-07 Software, Firmware, and Information Integrity L M H P